Patelco Credit Union says ransomware attack impacted more than a million people

Patelco Credit Union, a Dublin, California-based not-for-profit credit union, said that the data security incident it suffered in June compromised the sensitive personal information of more than 1 million individuals.

 

In a filing with the Office of Maine Attorney General, Patelco said that on June 29, it was a victim of a ransomware incident that involved threat actors infiltrating its internal network and accessing portions of its database.

 

The credit union immediately launched an investigation, with assistance from external cyber security experts, to determine the scope of the incident. It also took steps to contain the incident, including disabling the unauthorised access to its internal network and notifying law enforcement authorities about the incident.

 

“The investigation revealed that an unauthorised party gained access to our network on May 23, 2024, leading to access to the databases on June 29, 2024,” the credit union told the Attorney General’s office.

 

The ransomware incident compromised members’ names, Social Security numbers, driver’s license numbers, dates of birth, and email addresses. While Patelco initially said that it identified 726,000 individuals who were impacted by the incident, the credit union said in a fresh filing with the Maine state regulator that at least 1,009,472 individuals were impacted by the ransomware attack.

 

Patelco Credit Union has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.

 

It has also offered two years of complimentary identity protection and credit monitoring services through Experian IdentityWorks to all affected individuals.

 

On August 15, the RansomHub group claimed responsibility for the cyber attack on Patelco and listed it as a victim on its data leak site. The group claimed to have negotiated with the financial organisation for two weeks, but failed to get a ransom payment out of it. Following the failed negotiation, the hacker group put up the stolen data for sale on the dark web.